
Toward a Passwordless Future

29 points, by freddyym, 3 months ago

16 comments

grammarxcore, 3 months ago
The big thing missing from the article is how a device that contains many passkeys is any different from a password manager that enforces security settings. I don't worry about passwords my password manager generates getting compromised because I use at least 24 random characters (assuming my password manager is using a cryptographically secure PRNG that guarantees some level of randomness, giving us more than 128 bits). Assuming I use that to manage the password to my email, I really only have to worry about my password manager key being compromised. I only use my password manager on trusted devices, so I really only have to worry about my trusted devices being compromised.

If I use passkeys, I have to worry about my trusted devices being compromised. According to the article, "as long as you can remember your phone password, you can log in to your accounts." That sounds like my password manager. The other benefits also sound like a combination of my password manager and privacy focus. I'm not saying this is bad; I just don't see how it's different from a security-conscious status quo.
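The "24 random characters gives more than 128 bits" claim in the comment above, worked through as an added example (not code from the thread or the linked article). It assumes the manager draws each character uniformly and independently from a fixed alphabet; the alphabets and the `secrets`-based generator are constructed here for illustration.

```python
import math
import secrets
import string

# Candidate character sets a password manager might draw from (constructed for illustration).
ALPHABETS = {
    "lower+digits": string.ascii_lowercase + string.digits,                  # 36 symbols
    "alnum": string.ascii_letters + string.digits,                            # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,   # 94 symbols
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from
    `alphabet_size` symbols: length * log2(alphabet_size)."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("need a positive length and at least two symbols")
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose entropy reaches `target_bits` for this alphabet size."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str) -> str:
    """Draw each symbol with the OS CSPRNG (secrets), not random.choice,
    so the entropy figure above actually applies to the output."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_128_bit_claim(length: int = 24) -> dict:
    """For each alphabet: does a `length`-symbol password reach 128 bits?"""
    return {
        name: entropy_bits(length, len(chars)) >= 128
        for name, chars in ALPHABETS.items()
    }


if __name__ == "__main__":
    for name, chars in ALPHABETS.items():
        print(f"{name:13} {len(chars):3} symbols: 24 chars = "
              f"{entropy_bits(24, len(chars)):6.1f} bits, "
              f"need {min_length_for_bits(128, len(chars))} chars for 128 bits")
    print("sample:", generate_password(24, ALPHABETS["printable"]))
```

The lower+digits row is the caveat: 24 symbols from a 36-symbol alphabet is about 124 bits, so the 128-bit figure depends on the generator's alphabet as much as on its length.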
carlhjerpe, 3 months ago
I really don't want to use Passkeys until they can be stored in my password manager of choice on Linux, Android and Windows.
kemotep, 3 months ago
I wish first and foremost that all my accounts could support passkeys/passwordless sign-ins instead of only like 12/60.

My second wish would be that passkeys should be as easy to work with as ssh keys. Somehow, they tend to be more complicated. Asking you if you want to use your phone or security key (when you have neither, you are using a password manager) and often failing to immediately detect your preferred method of storing them, defaulting to Google, Microsoft, or Apple's solutions.
0xbadcafebee, 3 months ago
Passkeys are not a panacea. They're an amalgam of multiple standards that half the time aren't implemented right or not fully supported. It's the industry's attempt to design-by-committee a one-size-fits-all solution to many, many different problems. News flash: one-size-fits-all fits nobody well.

Passwords are a perfectly fine single factor. Add more factors to get more security, in specific use cases where they make sense. Passkeys don't fill the use case that a single factor like passwords do.

Password Managers are also perfectly fine when combined with multiple factors and attack mitigations (and are certainly no worse than Passkeys we have now, key access managed by a central piece of software/key control/authorization). They solve many different use cases without breaking others. They're customizable, and not overly dependent on standards. They are a loosely-coupled interface. They can be synchronized for multiple device/site access. They can be upgraded to support an infinite amount of security mechanisms. They can be changed in backwards-compatible ways, and they don't force one-size-fits-all on anybody. They even support Passkeys without forcing you to use them (though of course lots of Passkey software ignores the fact that you might have a password manager, and forces you to use the browser's Passkey store or nothing).

You want to uniquely identify a device? Fingerprint it on login. Having a separate passkey per device isn't any better, because if the attacker can get the device fingerprint, they can also probably get the passkey, because they have access to the device. And password reset still has to be a thing, because we all lose devices, backup codes, etc., so it's not like there isn't an easier attack anyway.

How is the passkey that much better than client-side certificates from 15 years ago? That was abandoned because of all the problems around key management; and now you want to bring back key management?!

Please stop trying to solve a problem by creating more problems. This is all about use cases. Just let users, and companies, decide what use cases they'll support. Don't force everyone to use a crap solution just because it makes big corporations happy.
sedatk, 3 months ago
The article praises passkeys for not even needing email for login, but omits to mention the recovery flow. How do you recover your account if you lost your access to the passkey provider, and you didn't provide an email address?

So, I think "not even needing email" is unlikely for the foreseeable future, unless we find other ways to authenticate people reliably.
zabzonk, 3 months ago
A password, and extra secret information on things like my bank account, have always worked well for me. I simply cannot stand 2FA using a smartphone. Why? Because I don't have or want one. Luckily, my bank allows use of a landline for 2FA, which works perfectly, but I dread the day they stop supporting it.

Also, the whole bloody thing with passwords is noxious. I don't want to log in to your site, I just want to read some stuff.
xet7, 3 months ago
I wish SQRL would become more popular.

https://www.grc.com/sqrl/sqrl.htm
ajsnigrutin, 3 months ago
So... what happens with passkeys if you lose/break/someone steals your phone?

I'm talking about normal users, without backups.
ziggure, 3 months ago
The problem with passkeys is that they couple a security credential to a device containing lots of personal information. I don't take my phone into certain countries where I sometimes travel, but I do bring my yubikey. I get the security benefits without the exposure of everything that's on my phone.
brickfaced, 3 months ago
So it's effectively SSH keys, but for regular app/site logins with a nicer UI.
derbOac, 3 months ago
https://shkspr.mobi/blog/2022/06/ive-locked-myself-out-of-my-digital-life/
immibis, 3 months ago
I've only heard bad things about privacyguides.org.

https://www.reddit.com/r/PrivacyGuides/comments/thnjjf/privacyguidesorg_considered_harmful/
CatWChainsaw, 3 months ago
Still a no from me. Right now passkeys are just a way for services to exert more control over users. I don't see that changing for decades at minimum.
rijenkii, 3 months ago
The article talks about how password managers are bad because they are a single point of failure, and then suggests syncing passkeys between devices using... password managers.

What? Who wrote this?
callc, 3 months ago
I am largely unconvinced of the downsides of passwords presented in the article. Especially the historical angle. Old != bad. In fact, it is a testament to the fact that the password system is simple enough to be done analog, easily understood without any training.

My question to the people here is: are passkeys actually the future? Or are they over-hyped, over-engineered, and being forced on everyone? I say this as someone not knowing much of passkeys. And I'm not a fan of the "holier than thou" feeling from people proselytizing passkeys. Take the public's / user's doubts seriously. You wouldn't break into someone's home and force them to get a different lock mechanism for their safe, or front door.

---

Counter-points to "password bad"

> Password Overload

Use a password manager.

> Email Requirement

Passwords don't require email. Email is commonly used as a user ID. You can also use other mechanisms such as "store this long key in your records and if you forget your U+PW then use it for recovery".

> Single Point of Failure ... email acts as a one-stop shop for attackers looking to hack your accounts, either by getting into your email account itself or by sending you convincing password reset emails that send you to a phishing page ...

I agree. Solely having "what you know" info makes phishing possible.

> Service Provider Negligence

A weak argument that could be applied anywhere to "but I don't trust them to do the right thing". All we need is good U+PW auth libraries and clear education like https://thecopenhagenbook.com/. Give actually big fines for companies that have breaches, then magically security will get better.

> Human Error ... passwords rely on randomness to be secure, but they also rely on humans to generate them... Humans are very bad at generating random numbers

Use a password manager. This article reeks of a wannabe expert tone with the certainty, finality, and generality (I can speak confidently yet have an out because I used the word "most" or "possibly"!) of its claims.

> Imagine if every time you connected to a website with HTTPS, you had to come up with your own encryption key. Would that be a secure system?

I can't take the author seriously with these arguments. Put your big boy/girl pants on and use your brain, stop using hypothetical straw-mans to easily knock down.
sdsd, 3 months ago
Cool but this (i.e. pw's) isn't how to steal accounts anyway. E.g. when wanting to use AI models for free, just spin up a github dork, no passwords required. E.g., /"Authorization: Bearer xai-.+"/ gives free Grok API key. Try a few until one works and voilà.

Plug in the API key and now my app is grokified. Or if I'm really wanting that classic experience, ask the free version of grok to spin up a react interface that uses the api key, and then plug in. Wow.

Or if really desperate, make a quick fake NPM package, ask rando dev to npm install it bc it's not working with their FOSS project or whatever, say nvm it works now! And it exfiltrates the API key someone wants.

I'd never do any of this bc I'm a latter day saint, but maybe I would if I needed a key in a jiffy, who even knows.